IPv6 with SixXS and MirOS


Introduction

Recently, the ipng.org.uk tunnel broker went down, and, looking for alternatives, most of the MirOS team and our friends have decided to use the SixXS tunnel broker.

Because this is not an advertising article, I'd like to point out that Freenet6 (see MirPorts) and XS26 are other large public TSPs.

Setting up a handle

Most people who are experimenting with IPv6 just need a 6BONE handle, but the MirOS developers have gotten RIPE (European) handles because they are using IPv6 productively. Asian users should go to APNIC, American users to ARIN, and Latin American users to LACNIC instead.

The set-up procedure is pretty much the same for all these NICs, with 6BONE using the RIPE format for entries, but not requiring a MNTNER.

If you are going to register a RIPE handle, you must let a person maintain it - that is, if you ever need to change it, the maintainer has to PGP-sign the change request, so nobody can play around with your handle. Maintainers are people with knowledge of, and work experience in, the NOC area, so not everybody can (or should, for that matter) be their own MNTNER. Jeroen Massar of SixXS points out nicely that you should just "ask your friendly LIR" (local internet registry); if you don't know one, ask a server hoster or ISP nearby. Both MirOS developers are admins enough to be RIPE NCC MNTNERs.

In order to get a handle, first retrieve the form to fill out using

$ whois -h whois.ripe.net -- -t\ person

(for a person object, which is what you are going to create)
Then email the filled out person object, including the MNT-BY attribute, to your friendly maintainer, or, if you are not going to have it maintained from the very beginning, to the RIPE NCC or 6BONE database backend.

What if you're stuck or want to know more?

Detailed help for the RIPE whois database is at the RIPE NCC database reference manual; this site at Hexago (former Viagénie) is a nice interface to the 6BONE registry.

Registering with SixXS

Registering is a fairly simple process. Just go to the SixXS website and enter your whois handle, password and a good reason why you want an IPv6 tunnel and can't get a native upstream.

Getting your tunnel

Log in at SixXS $HOME and ask for a heartbeat tunnel if you're on dial-up, or for a standard tunnel if you're on a dedicated line. A week later, you've got enough credits to get your own subnet.

Software

Setting up the heartbeat client

Well... since you're already using MirOS, you should know how to use MirPorts to install the net/sixxs-heartbeat client. As for the configuration file, it's got a good sample.
Note: we might write our own heartbeat dæmon once the protocol is finished.

Some configuration work

I've got these lines in my /etc/ppp/ip-up which is called either by pppd(8) (if I'm on modem) or ppp(8) (if I'm on ISDN or PPPoE-ADSL):

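# Kill every process whose command line contains "sixxs"
# (a heartbeat client left over from the previous connection)
ps ax|grep sixxs|grep -v grep|while read pid rest; do
        kill $pid
done
# Bring up the tunnel interface, then start the heartbeat client
ifconfig gif0 up
nice -n -1 /usr/local/sbin/sixxs-heartbeatd /etc/ppp/heartbeat.conf
# Default IPv6 route through the tunnel, at the minimum IPv6 MTU
route add -inet6 default fe80::%gif0 -mtu 1280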

These lines are needed to initialize an unnumbered tunnel, in contrast to the numbered tunnel you need if you don't yet have a subnet. Please note that the SixXS staff does not want me to advertise the usage of unnumbered tunnels, or to use them at all.

Further setup

Numbered tunnels without subnet

Simply configure an IP address on the gif0 interface before setting the route to it. This looks as follows:

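# Kill every process whose command line contains "sixxs"
ps ax|grep sixxs|grep -v grep|while read pid rest; do
        kill $pid
done
ifconfig gif0 up
nice -n -1 /usr/local/sbin/sixxs-heartbeatd /etc/ppp/heartbeat.conf
# Number the tunnel: local address first, then the remote end
ifconfig gif0 inet6 2001:6f8:900:XXXX::2 \
    2001:6f8:900:XXXX::1 prefixlen 128 alias
# Default IPv6 route via the remote end of the tunnel
route add -inet6 default 2001:6f8:900:XXXX::1 -mtu 1280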

Numbered tunnels with subnet

SixXS wants you to do this. As for the tunnel configuration, see above - for the subnet configuration, see below. You must not add the pf.conf(5) entry below.

Unnumbered tunnels with subnet

You will need a line like the following in your pf.conf(5) unless you're fine with SixXS thinking you've got 100% packet loss (and eventually shutting down your tunnel):

rdr on gif0 inet6 from any to 2001:6f8:900:XXXX::2 -> 2001:6f8:YYYY:1::1

The first of these addresses is your assigned tunnel space, whereas the second address is the one the router got assigned on one of the local networks. (The interface must always be up and working.)
Please note that you should not use the very first subnet, i.e. 2001:6f8:YYYY:0::/64, nor the last (replace 0 by FFFF), on IPv6 - you've got 65534 other subnets for physical lines to use.

You will also need to set up your router for each of the physical interfaces to which a subnet is delegated:

# /etc/hostname.fxp0
inet 192.168.0.1 0xFFFFFF00 192.168.0.255
inet6 2001:6f8:YYYY:1::1 64
inet6 2001:6f8:YYYY:1:: 64 anycast

This is just an example - it could look different. As per RFC, a subnet router must listen on the subnet-router anycast address, which consists of the network prefix it routes with the host part set to all zeros; that is the last line in the above example.

# /etc/rtadvd.conf
fxp0:\
        :mtu#1280:addr="2001:6f8:YYYY:1::":prefixlen#64:

I'm still waiting for SixXS to reply to me, telling what their maximum supported MTU is - until then, I'm using the minimum supported, which would be 1280 (IPv6 does not work on lower MTUs).
You have to start rtadvd(8) via /etc/rc.conf.local and enable the IPv6 routing in /etc/sysctl.conf - but then, you're a professional MirOS admin, aren't you?

Firewalling considerations

At the very least, you must pass "inet proto 41" on the outgoing interface (basically tun0 or ppp0) and inet6 traffic, including icmp6 (for SixXS' ping requests), on the gif0 interface. If something does not work, there are two things to do at once:

  1. Sync the clock: rdate -ncv[a] ptbtime2.ptb.de
  2. Shut off the firewall: pfctl -d
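
The two pass requirements named above, written out as a pf.conf(5) filter fragment; this is an added example, not part of the original article. The macro names ext_if and pop_v4 and the address 192.0.2.1 are placeholders, and limiting inbound IPv6 on gif0 to ICMPv6 plus replies is an assumption about what you want reachable.

```conf
# pf.conf(5) fragment in the old-style syntax used by the rdr rule above.
# Macros belong at the top of pf.conf, filter rules after any rdr rules.
# ext_if and pop_v4 are placeholders, not values from the article.
ext_if = "tun0"          # outgoing IPv4 interface (tun0 or ppp0)
pop_v4 = "192.0.2.1"     # placeholder: IPv4 address of your SixXS PoP

# Carrier: IPv6-in-IPv4 is IP protocol 41; allow it only to/from the PoP.
pass out on $ext_if inet proto 41 from ($ext_if) to $pop_v4
pass in  on $ext_if inet proto 41 from $pop_v4 to ($ext_if)

# Inside the tunnel: pf sees the decapsulated packets on gif0.
# The last matching rule wins, so the block comes first.
block in log on gif0 inet6 all

# ICMPv6 in both directions (SixXS' ping requests, path MTU discovery).
pass in  on gif0 inet6 proto icmp6 all
pass out on gif0 inet6 proto icmp6 all

# Everything else only when initiated from your side; replies match state.
pass out on gif0 inet6 proto { tcp, udp } all keep state

# Services that should be reachable from outside need their own
# "pass in on gif0 inet6 ..." rule after the block.
```

Parse the file with pfctl -nf /etc/pf.conf before loading it. Packets dropped by the "block in log" rule appear on pflog0, which shows which rule is in the way.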

Conclusions

djbdns is IPv6 capable; you need the no_ipv4 flavour installed in parallel to the default one if you need IPv6 transport support (as opposed to IPv6 RR support, i.e. IN AAAA). Our resolver seems to not be IPv6-transport capable, or at least I haven't got an entry like nameserver ::1 in resolv.conf(5) to work. Bind9 looks like it could support IPv6, too.

Lynx and Apache are both IPv6 capable, so just adding
::1 localhost6
to /etc/hosts and typing $ lynx localhost6 should work if you started Apache. You can, after enabling the tunnel, test from outside and to outside (herc.v6.mirbsd.org for example), too. The SixXS site also displays which transport you are using.

We still can't support IPv4-mapped addresses (that is, listening on [::] (the IN6ADDR_ANY) does not get the dæmon IPv4 connections). Jun-ichiro itojun Hagino of OpenBSD thinks this is a great idea, but we do not - so if someone is skilled enough to patch that behaviour back into the MirOS BSD kernel, you're welcome.

IRC via IPv6 is cool. Just don't spam with your reverse DNS.

Other things

ECMAscript-only IPv6 certification, knowledge tests, etc. by he.net (America)